==================================================================
BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report+0x88/0x158 lib/list_debug.c:62
Read of size 8 at addr ffff0000c2ff6550 by task syz-executor/6425

CPU: 0 UID: 0 PID: 6425 Comm: syz-executor Not tainted 6.12.0-syzkaller-g7b1d1d4cfac0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:484 (C)
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:377 [inline]
 print_report+0x198/0x538 mm/kasan/report.c:488
 kasan_report+0xd8/0x138 mm/kasan/report.c:601
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 __list_del_entry_valid_or_report+0x88/0x158 lib/list_debug.c:62
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del_init include/linux/list.h:287 [inline]
 bt_accept_unlink+0x40/0x258 net/bluetooth/af_bluetooth.c:256
 l2cap_sock_teardown_cb+0x194/0x38c net/bluetooth/l2cap_sock.c:1599
 l2cap_chan_del+0xb8/0x470 net/bluetooth/l2cap_core.c:658
 l2cap_conn_del+0x2b8/0x510 net/bluetooth/l2cap_core.c:1785
 l2cap_disconn_cfm+0x90/0xe0 net/bluetooth/l2cap_core.c:7299
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1975 [inline]
 hci_conn_hash_flush+0x100/0x220 net/bluetooth/hci_conn.c:2592
 hci_dev_close_sync+0x854/0x10c0 net/bluetooth/hci_sync.c:5205
 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
 hci_unregister_dev+0x1f8/0x4b8 net/bluetooth/hci_core.c:2698
 vhci_release+0x7c/0xd0 drivers/bluetooth/hci_vhci.c:664
 __fput+0x1bc/0x75c fs/file_table.c:431
 ____fput+0x20/0x30 fs/file_table.c:459
 task_work_run+0x230/0x2e0 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0x4ec/0x1ad0 kernel/exit.c:939
 do_group_exit+0x194/0x22c kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 pid_child_should_wake+0x0/0x1dc kernel/exit.c:1097
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Allocated by task 44:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:565
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394
 kasan_kmalloc include/linux/kasan.h:257 [inline]
 __do_kmalloc_node mm/slub.c:4264 [inline]
 __kmalloc_node_track_caller_noprof+0x2d0/0x4d8 mm/slub.c:4283
 kmalloc_reserve+0x144/0x280 net/core/skbuff.c:609
 pskb_expand_head+0x194/0x1094 net/core/skbuff.c:2275
 netlink_trim+0x160/0x204 net/netlink/af_netlink.c:1298
 netlink_broadcast_filtered+0x7c/0x10ec net/netlink/af_netlink.c:1504
 nlmsg_multicast_filtered include/net/netlink.h:1125 [inline]
 nlmsg_multicast include/net/netlink.h:1144 [inline]
 nlmsg_notify+0xfc/0x1d8 net/netlink/af_netlink.c:2579
 rtnl_notify net/core/rtnetlink.c:786 [inline]
 rtmsg_ifinfo_send net/core/rtnetlink.c:4128 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:4144 [inline]
 rtmsg_ifinfo+0x138/0x188 net/core/rtnetlink.c:4150
 netdev_state_change+0x1a8/0x238 net/core/dev.c:1380
 linkwatch_do_dev+0x108/0x1a8 net/core/link_watch.c:177
 __linkwatch_run_queue+0x3a0/0x700 net/core/link_watch.c:234
 linkwatch_event+0x58/0x68 net/core/link_watch.c:277
 process_one_work+0x7bc/0x1600 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x97c/0xeec kernel/workqueue.c:3391
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

Freed by task 44:
 kasan_save_stack mm/kasan/common.c:47 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:68
 kasan_save_free_info+0x54/0x6c mm/kasan/generic.c:579
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x64/0x8c mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:230 [inline]
 slab_free_hook mm/slub.c:2342 [inline]
 slab_free mm/slub.c:4579 [inline]
 kfree+0x184/0x47c mm/slub.c:4727
 skb_kfree_head net/core/skbuff.c:1086 [inline]
 skb_free_head+0xf4/0x1bc net/core/skbuff.c:1098
 skb_release_data+0x484/0x618 net/core/skbuff.c:1125
 skb_release_all net/core/skbuff.c:1190 [inline]
 __kfree_skb net/core/skbuff.c:1204 [inline]
 consume_skb+0xb0/0x130 net/core/skbuff.c:1436
 netlink_broadcast_filtered+0xf68/0x10ec net/netlink/af_netlink.c:1527
 nlmsg_multicast_filtered include/net/netlink.h:1125 [inline]
 nlmsg_multicast include/net/netlink.h:1144 [inline]
 nlmsg_notify+0xfc/0x1d8 net/netlink/af_netlink.c:2579
 rtnl_notify net/core/rtnetlink.c:786 [inline]
 rtmsg_ifinfo_send net/core/rtnetlink.c:4128 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:4144 [inline]
 rtmsg_ifinfo+0x138/0x188 net/core/rtnetlink.c:4150
 netdev_state_change+0x1a8/0x238 net/core/dev.c:1380
 linkwatch_do_dev+0x108/0x1a8 net/core/link_watch.c:177
 __linkwatch_run_queue+0x3a0/0x700 net/core/link_watch.c:234
 linkwatch_event+0x58/0x68 net/core/link_watch.c:277
 process_one_work+0x7bc/0x1600 kernel/workqueue.c:3229
 process_scheduled_works kernel/workqueue.c:3310 [inline]
 worker_thread+0x97c/0xeec kernel/workqueue.c:3391
 kthread+0x288/0x310 kernel/kthread.c:389
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:862

The buggy address belongs to the object at ffff0000c2ff6000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1360 bytes inside of
 freed 2048-byte region [ffff0000c2ff6000, ffff0000c2ff6800)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff0000c2ff4000 pfn:0x102ff0
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000240(workingset|head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000240 ffff0000c0002000 fffffdffc3256e10 fffffdffc319c210
raw: ffff0000c2ff4000 0000000000080003 00000001f5000000 0000000000000000
head: 05ffc00000000240 ffff0000c0002000 fffffdffc3256e10 fffffdffc319c210
head: ffff0000c2ff4000 0000000000080003 00000001f5000000 0000000000000000
head: 05ffc00000000003 fffffdffc30bfc01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000c2ff6400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000c2ff6480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000c2ff6500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff0000c2ff6580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000c2ff6600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
list_del corruption. prev->next should be ffff0000ce927550, but was 000000070006003c. (prev=ffff0000c2ff6550)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:64!
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 UID: 0 PID: 6425 Comm: syz-executor Tainted: G B 6.12.0-syzkaller-g7b1d1d4cfac0 #0
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __list_del_entry_valid_or_report+0x13c/0x158 lib/list_debug.c:62
lr : __list_del_entry_valid_or_report+0x13c/0x158 lib/list_debug.c:62
sp : ffff8000a3a17710
x29: ffff8000a3a17710 x28: dfff800000000000 x27: ffff0000ce92000c
x26: ffff0000ce920480 x25: 1fffe00019d24002 x24: dfff800000000000
x23: dfff800000000000 x22: dfff800000000000 x21: ffff0000c2ff6550
x20: ffff0000c2ff6550 x19: ffff0000ce927550 x18: 1fffe000366c6876
x17: ffff80008f81d000 x16: ffff80008b4b6a58 x15: 0000000000000001
x14: 1fffe000366c9320 x13: ffff8000a3a18000 x12: ffff8000a3a16fc0
x11: 0000000000000001 x10: 0000000000ff0100 x9 : d3161eb994c4b600
x8 : d3161eb994c4b600 x7 : 1fffe000366c6877 x6 : ffff8000802c419c
x5 : 0000000000000000 x4 : 0000000000000001 x3 : 0000000000000000
x2 : ffff0000e71a5ac0 x1 : 0000000100000000 x0 : 000000000000006d
Call trace:
 __list_del_entry_valid_or_report+0x13c/0x158 lib/list_debug.c:62 (P)
 __list_del_entry_valid_or_report+0x13c/0x158 lib/list_debug.c:62 (L)
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del_init include/linux/list.h:287 [inline]
 bt_accept_unlink+0x40/0x258 net/bluetooth/af_bluetooth.c:256
 l2cap_sock_teardown_cb+0x194/0x38c net/bluetooth/l2cap_sock.c:1599
 l2cap_chan_del+0xb8/0x470 net/bluetooth/l2cap_core.c:658
 l2cap_conn_del+0x2b8/0x510 net/bluetooth/l2cap_core.c:1785
 l2cap_disconn_cfm+0x90/0xe0 net/bluetooth/l2cap_core.c:7299
 hci_disconn_cfm include/net/bluetooth/hci_core.h:1975 [inline]
 hci_conn_hash_flush+0x100/0x220 net/bluetooth/hci_conn.c:2592
 hci_dev_close_sync+0x854/0x10c0 net/bluetooth/hci_sync.c:5205
 hci_dev_do_close net/bluetooth/hci_core.c:483 [inline]
 hci_unregister_dev+0x1f8/0x4b8 net/bluetooth/hci_core.c:2698
 vhci_release+0x7c/0xd0 drivers/bluetooth/hci_vhci.c:664
 __fput+0x1bc/0x75c fs/file_table.c:431
 ____fput+0x20/0x30 fs/file_table.c:459
 task_work_run+0x230/0x2e0 kernel/task_work.c:239
 exit_task_work include/linux/task_work.h:43 [inline]
 do_exit+0x4ec/0x1ad0 kernel/exit.c:939
 do_group_exit+0x194/0x22c kernel/exit.c:1088
 __do_sys_exit_group kernel/exit.c:1099 [inline]
 __se_sys_exit_group kernel/exit.c:1097 [inline]
 pid_child_should_wake+0x0/0x1dc kernel/exit.c:1097
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744
 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600
Code: 91200000 aa1303e1 aa1503e3 95395996 (d4210000)
---[ end trace 0000000000000000 ]---